How to secure Connection Strings
Secure your Connection String
If you have a website in a Shared web hosting service you should be worried about that the website maybe get hacked. Here what really happens is a user makes a HTTP request, your web application processes the request including connecting to the database, and returns the result to the user . Sending the connectionstring over HTTP will be just as plain text.
Encrypt or Decrypt Connection Strings in a web.config file
The connection string in the Web.config file contains sensitive information of database such as connectionstring parameters. To avoid these problems you can improve the security of sensitive information stored in a connection string by using built in protected configuration model functionality to encrypt or decrypt few sections of a web.config file .
How to encrypting the connection string in ASP.NET ?
You can encrypt the connectionstring section of a web.config file by using aspnet_regiis.exe command line tool, so it is never stored as plain text. This file is located in the %systemroot%\Microsoft.NET\Framework\versionNumber folder and you can use with -pef option. Consider you have an application named as MyWebApp. You can encrypt the connectionStrings section of the Web.config file by using aspnet_regiis.exe as follows :
-pef indicates that the application is built as File System website and second argument connectionStrings indicates the name of configuration section needs to be encrypted and the third argument is the physical path where the web.config file is located.
If you are using IIS based web application the command will be,
The -pe option, passing it the string "connectionStrings" to encrypt the connectionStrings element.
The -app option, passing it the name of your application.
After running the tool successfully .. you will receive a message "Encrypting configuration section...Succeeded!"
How to decrypt the connection string in ASP.NET ?
When you want to decrypt the encrypted Web.config file, run the aspnet_regiis.exe tool with the -pd option. The syntax is the same as encrypting Web.config file contents with the -pe option except that you do not specify a protected configuration provider.